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Dear Mr. Coulombc: 

One of the responsibilities of the Office of the Privacy Commissioner of Canada is to 
determine whether personal information under the control of federal government institutions is 
being administered in compliance with the fair information handling provisions of the Privacy 
Act (Sections 4 to 8). The mandate for conducting investigative reviews (audits) is contained in 
Section 37 of this Act. 

The purpose of this letter is to inform you of our intention to carry out a review of the 
personal information handling practices related to the operationalization of the Security of 
Canada Information Sharing Act (SCISA). The scope of the review will examine the first six 
months of the implementation of SCISA (August 1, 2015 - January 30, 2016). 


In line with the above, it is requested that you respond to this survey no later than Friday, 
February 19, 2016. The first set of questions concern disclosures made to one of the seventeen 
federal institutions authorized to receive national security information in accordance with SCISA. 
Please indicate: 

1- Which individual(s) within your organization is (are) responsible and accountable for 
deciding whether and what information is disclosed. 

2- Whether institutional policies / guidance documents have been developed to govern 
disclosures. 

3- The number of SCISA disclosures that have taken place (from August 1,2015 to 
January 30, 2016). At a later date, we may follow up to review the specific disclosures. 

4- Whether an assessment was undertaken to determine if Privacy Impact Assessments 
were necessary, and if so, whether they were completed, 

5- For each disclosure that did occur, whether: 

a- the recipient institution was contacted in advance to discuss the relevance of the 
information, 

b- there is documentation that demonstrates how the facts of a given situation met 
me i er oC the legal grounds for disclosure, including relevance to mandate, 

V c- it involved individuals who were not suspected of undermining the security of 
JAN 1 8 Canada at the time of disclosure, 

^ d- the information was for named individuals or a category of individuals, and 

3 0 M D e- Information Sharing Agreements with the recipient institutions arc in place. 
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6- Whether national security information was disclosed to one or more of the 17 federal 
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entities authorized to receive information pursuant to SC1SA, pursuant to legal 
authorities other than SCISA (Y/N). If yes, please indicate whether: 
a- there is a system in place to track these disclosures, 

b- there is documentation that demonstrates how the facts of a given situation met 
the legal grounds for disclosure, 

c- it involved individuals who were not suspected of undermining the security of 
Canada at the time of disclosure, and 

d- the information was for named individuals or a category of individuals. 

The next set of questions is to be answered in your capacity as one of the seventeen federal 
institutions that can now receive or collect information as a result of SCISA. Please indicate: 

7 -Which individual(s) is (are) responsible and accountable for ensuring that received or 
collected information that is not relevant is not retained, and how this is 
operationalized. 

8- Whether institutional policies / guidance documents have been developed to govern 
what information is received or collected and how it is used. 

9- The number of SCISA receipts or collections that have taken place (from August 1, 

2015 to January 30, 2016). At a later date, we may follow up to review the specific 
information that was received or collected. 

10- Whether an assessment was undertaken to determine if Privacy Impact Assessments 
were necessary, and if so, whether they were completed, 

11 - For each disclosure that did occur, whether: 

a- the receiving or collecting institution was contacted in advance ot the disclosure 
to determine whether the disclosed information was relevant, 
b- there is documentation that demonstrates how the facts of a given situation met 
the legal grounds for receiving or collecting the information, including 
relevance to mandate, 

c- it involved individuals who were not suspected of undermining the security of 
Canada at the time that the information was received or collected, 
d- the information was for specific individuals or a category of individuals, and 
e- irrelevant information was received or collected and whether it was eventually 
disposed of (number of cases). 
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12- Whether national security related information was received or collected by your 
institution in accordance with legal authorities other than SCISA (y/n). If so, please 
indicate whether: 

a- there is a system in place to track the information received or collected, 
b- there is documentation that demonstrates how the facts of a given situation met 
the legal grounds for receipt or collection, 
c- it involved individuals who were not suspected of undermining the security of 
Canada at the time of receipt or collection, 
d- the information was for specific individuals or a category of individuals, and 
e- Information Sharing Agreements w r ith the disclosing institutions are in place. 


In your response, it is also requested that you designate a senior official to be our primary 
contact and provide that name to Steven Morgan, Director General, Audit and Review. As our 
review will be subject to very tight timelines, we are requesting that your officials respect a five- 
working-day turnaround time for all subsequent documentation and meeting requests. 
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As part of the reporting process, we may provide recommendations as appropriate for 
enhancing privacy policies, practices, processes, and controls. Rest assured that you will be given 
full opportunity to comment on our findings before a final report is issued. 


Should you have any questions, please do not hesitate to make them known directly to 
Steven Morgan at 819.994.6046. 

We look forward to a cooperative and constructive working relationship with your staff 
during the course of our work. 


Sincerely, 
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Daniel Therrien 

Privacy Commissioner of Canada 
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